So when we were rolling out our managed Windows 7 platform, which we had spent a considerable amount of time planning, and had diligently removed local admin rights from all staff other than IT staff (you know, the guys who cause the most issues with local admin, but I digress), I noticed one of our more IT-savvy staff members installing the latest version of Firefox onto his computer. When I pointed out that he was breaching our policy on installing software, he laughed me off and said don’t worry about it, because if you hit No when the UAC prompt comes up you can still install it. To say I was a bit miffed would be an understatement, so I went and did some digging. It appears that when Mozilla created the installation package, they set it up so that if the user account running the install doesn’t have access to Program Files, it installs into the user’s profile instead (c:\users\%username%\appdata\local\mozilla firefox\, to be precise). So short of blacklisting the installer every time there is a release, there was little we could do.
Fast forward 18 months, 2 building relocations and 2/3 of the fleet replaced with shiny new laptops to match the activity-based working layout, and we are finally getting time to sit down and do all of the feature adds that have been deemed nice-to-haves but not must-haves. You know, like the upgrade to SCCM 2012, along with a plan to deal with the browser sprawl that has occurred since we rolled out Windows 7. Let’s face it, the easiest way to combat this would be to set up a baseline in SCCM to detect when a browser other than the supported version of IE has been installed, and remediate. But with it being, well, almost 2014, and embracing the whole empowerment of users and all of that fun stuff, how can we set this up for self-service while cleaning up the legacy installs? The update process doesn’t handle admin rights the way the installer does, so we still have installs all the way back to version 9.
So I saw Sherry Kissinger’s post here, which details how to disable the update process for admin installs of Firefox, which is great and works really well. But it doesn’t handle our use case of per-user installs of Firefox. So I had a quick look into the scripts that Sherry was using, and found that by adding a looping function to step through the subfolders in c:\users looking for the Mozilla Firefox folder, I could create the files that disable the update process, so the users don’t get prompted for updates that they can’t complete.
This got me thinking: can we use compliance settings to remediate the per-user installs of Firefox? The short answer is yes, but it’s a little more complicated than using the remediation task in the compliance settings, as we need to be able to install the latest version of Firefox. We can handle this by creating a device collection using the following query:
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup,
       SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_CI_ComplianceState
       on SMS_G_System_CI_ComplianceState.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_CI_ComplianceState.LocalizedDisplayName = "FireFox Per User install"
  and SMS_G_System_CI_ComplianceState.ComplianceStateName = "Non-Compliant"
Of course, this is after you have deployed the “FireFox Per User Install” configuration baseline to all of your computers. Then the remediation is as simple as creating an application, deployed to the collection, that runs the attached script. The script cycles through all of the user profiles, runs the per-user uninstall string “c:\users\%username%\appdata\local\mozilla firefox\uninstall\helper.exe /s”, and then cleans up the Firefox shortcut for each of the user profiles. Once this is complete, we can execute an admin install of Firefox for the computer and disable the auto-update process.
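A sketch of the profile loop described above, covering both the detection value for the baseline and the uninstall step. This is an added example, not the script attached to the original post. The parameter names, the desktop shortcut path and the signer string are assumptions. Because helper.exe lives in a folder the user can write to, the sketch checks its Authenticode signature before running it from an elevated deployment.

```powershell
# Added example: detect and optionally remove per-user Firefox installs.
# Assumptions: profiles live under C:\Users; shortcut path and signer text.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$UsersRoot = 'C:\Users',
    [switch]$Remediate
)

function Get-PerUserFirefox {
    param([string]$Root)
    # PSIsContainer filter keeps this compatible with PowerShell 2.0 on Windows 7.
    Get-ChildItem -Path $Root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $dir = Join-Path $_.FullName 'AppData\Local\Mozilla Firefox'
            $exe = Join-Path $dir 'firefox.exe'
            if (Test-Path -LiteralPath $exe) {
                New-Object PSObject -Property @{
                    Profile     = $_.FullName
                    Version     = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
                    Uninstaller = Join-Path $dir 'uninstall\helper.exe'
                }
            }
        }
}

if ($Remediate) {
    foreach ($f in @(Get-PerUserFirefox -Root $UsersRoot)) {
        # Only run the uninstaller elevated if it still has a valid signature
        # whose subject names Mozilla (assumed signer string).
        $sig = Get-AuthenticodeSignature -FilePath $f.Uninstaller -ErrorAction SilentlyContinue
        $trusted = $sig -and $sig.Status -eq 'Valid' -and
                   $sig.SignerCertificate.Subject -like '*O=Mozilla Corporation*'
        if (-not $trusted) { Write-Warning "Untrusted uninstaller in $($f.Profile), skipped"; continue }
        if ($PSCmdlet.ShouldProcess($f.Uninstaller, 'Silent uninstall')) {
            Start-Process -FilePath $f.Uninstaller -ArgumentList '/s' -Wait
            # Assumed shortcut location; adjust to where your installs put it.
            $lnk = Join-Path $f.Profile 'Desktop\Mozilla Firefox.lnk'
            if (Test-Path -LiteralPath $lnk) { Remove-Item -LiteralPath $lnk -Force }
        }
    }
}

# Value handed back to the compliance setting (re-scanned after any remediation).
if (@(Get-PerUserFirefox -Root $UsersRoot).Count -gt 0) { 'Non-Compliant' } else { 'Compliant' }
```

Run without switches it only reports; with `-Remediate -WhatIf` it lists the uninstallers it would run.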